Photo Credit: Federal Bureau of Investigation
Georgetown University was targeted by an Iranian-backed cyber threat actor dubbed Silent Librarian (a.k.a Cobbalt Dikkens) in April 2020. The group, employed by an Iran-based company named “Mabna Institute,” has been targeting universities since at least 2013 in search of academic materials for the Iranian Revolutionary Guard Corps (IRGC), Iranian universities, and for sale on dedicated Iranian websites.[i] In March 2018, the FBI charged a group of nine hackers affiliated with the Mabna Institute with participating in a coordinated cyber intrusion campaign into computer systems belonging to hundreds of universities worldwide, domestic and foreign private sector companies, and several U.S. government offices. [ii]
In April, Georgetown faculty and students received an email from a fake individual named “Alan Manuel” warning that their access to the university’s learning platform, Canvas, would soon expire.[iii] Other American universities reported similar emails being sent to their faculty and students, each tailored to resemble the targeted university’s platform.[iv] It appears that upon clicking on the links in the malicious emails, victims were directed to a fake login page that was designed to steal their credentials. Notably, the ‘login pages’ were hosted on subdomains that resembled the URL addresses of the targeted universities’ learning platforms.[v] Many of these subdomains are under the domain vnre[.]me, and as of April 2020, directed to IP addresses 104[.]31[.]79[.]23 and 104[.]31[.]78[.]23, [vi] both operated by CloudFlare, an American company offering web infrastructure and security services.[vii] Based on the subdomains associated with the campaign, it appears that other targeted universities include Woodbury University[viii], University of Minnesota, [ix] Seattle Pacific University, [x] University Of Cincinnati, [xi]Johns Hopkins University, [xii] Michigan State University, [xiii] University of South California, [xiv] Northwestern, University of Massachusetts, [xv] University of Western Oregon, [xvi] Michigan State University, [xvii] Missouri State University[xviii] and St. John’s University[xix] in the U.S. Targeted universities in the UK include Oxford University, [xx] Liverpool John Moores University[xxi], University of Wolverhampton, [xxii] University of Bath, [xxiii]University of Westminster[xxiv] and University College London. [xxv] University of New Brunswick[xxvi] and York University[xxvii] in Canada were also targeted as part of this campaign. Most subdomains refer to commonly used online learning platforms such as Canvas, Moodle and Blackboard, suggesting that the attackers sought to collect login credentials for these platforms. One subdomain referred to the Ex Libris Libraries Search and Catalog. [xxviii]
According to the 2018 indictment, the attackers compromised the accounts of thousands of professors at target universities, stealing academic materials at an estimated cost of 3.4 billion USD.[xxx] Through the Mabna Institute, the group delivers such materials to the IRGC and Iranian academic institutions.[xxxi] In addition, individuals at the Mabna Institute also operate online black markets named Megapaper, Gigapaper [xxxii]and Uniaccount,[xxxiii] where they offer stolen credentials and academic journals for sale. A journal would typically be sold for as little as sixty U.S. cents, while other bi-monthly plans offered access to rare journals and leading university accounts for a membership fee ranging from five to fifteen USD. [xxxiv]
Mr. Benjamin Read, a senior manager for cyber espionage analysis at FireEye who teaches Cyber Operations at Georgetown’s Security Studies Program, assesses that the campaign was most likely perpetrated by Silent Librarian. “It matches a bunch of the tactics techniques and procedures (TTPs), and has targeted multiple universities worldwide,” said Mr. Read. “We haven’t been tracking Silent Librarian that closely and only have the domains to review, so can’t make a full confidence attribution, but I would say it is most likely them.”
The “gray zone” operational model, meaning the use of cyber criminals by nation states is not unique to Iran. The Chinese[xxxv] and Russian governments[xxxvi] have similarly employed cybercriminals as part of state-orchestrated campaigns. However, the level of independence that these actors enjoy varies. Some hackers are directly affiliated with the state and “moonlight” by engaging in criminal activities, while other hackers are mostly criminal but cooperate with the government by offering access to stolen data or by carrying out delegated tasks. Both the state and the cybercriminal benefit from such cooperation. While cybercriminals enjoy impunity from persecution by their own government, the state gets to utilize the talent found in its criminal ecosystem and shield itself from potential attribution.
Mr. Read said he would characterize the operation that targeted Georgetown University as mostly state affiliated, even if individual hackers monetize stolen data by selling it on their websites. “They have an official government mission and they are allowed to freelance to supplement their income. We’ve seen that from a number of Iranian groups where they have a day job and if they freelance in order to make extra money that’s their business,” says Mr. Read, “ and that kind of makes sense with this. Stealing academic journals is not your first choice if you want to make a bunch of money.” The sanctions targeting Iran have deprived the country of financial resources and academic ties that would otherwise be required to legally access such materials.
According to Mr. Read, gray zone operations present a unique set of challenges for policymakers due to the fractured nature of cybercriminal operations, which often utilize subcontracting. State-affiliate units, in contrast, mostly carry out an entire operation independently. “In a criminal one you have one group that’s providing the hosting, another person buys IP space and you might have one group that is sending out mass spam emails and they’re getting access, and sell that access to somebody who deploys the ransomware,” said Mr. Read. “The policy response is tricky because it’s hard to go at everything, to know which criminal is going to sell what and where, and which one isn’t.” However, he added, discouraging people from paying ransom could help mitigate sources of revenue for cybercriminal groups that have been improving their capabilities. He also believes that applying diplomatic pressure on countries in Eastern Europe that harbor cybercriminals may help reduce cybercrime operations originating from the region.
Yet in spite of their state-affiliation, the perpetrators were far from covert in their conduct. The group carelessly signed their email with a statement noting that the targeted university is a charitable body with registration number SC014536.[xxxvii] The subdomain naming convention and the wide targeting similarly led to the conclusion that the attackers either lacked the technical expertise of a more sophisticated state-affiliated actor, or simply did not care about being detected. Mr. Read stated that even threat actors affiliated with the same state often vary in their operational and budgetary considerations. In this case, he said, the attackers appear to operate on a limited budget, restricting them from purchasing a more robust and stealthier infrastructure, a task even harder to carry out of an isolated country like Iran. Most importantly, these techniques appear to be working.
Since the indictment against the group was unveiled in 2018, several reports by private cybersecurity companies have highlighted the group’s sustained efforts to target American universities. One such report was published by SecureWorks in September 2019,[xxxviii] and a more recent report was published in October 2020 by Malwarebytes. [xxxix] The continued attacks raise the question of whether the use of indictments as a deterrent, which has become increasingly appealing to policymakers in the U.S. and Europe,[xl] is indeed effective. “Indictments can be important, but alone it’s not going to deter everything. There’s some stuff that’s just tricky to deter,” said Mr. Read.
In Iran’s case, the country will not extradite the hackers given its long-time rivalry with the U.S. Sanctions against the country are already inflicting substantial costs, and the theft of academic journals, according to Mr. Read, is not a large enough threat to warrant additional retaliation. Even in major ransomware attacks such as NotPetya and Wannacry, both of which caused tremendous global damage, policymakers struggled to craft a response and solution for deterring potential threat actors from similar conduct in the future.
Other than intellectual property theft, the hacking of Georgetown email accounts raises concerns over some faculty and students’ past or current affiliation with the U.S. government and the intelligence community, which might expose more sensitive information and undermine U.S. national security. Mr. Read said that another Iranian-backed threat actor, identified by some cyber security researchers as Charming Kitten,[xli] has been known to target current and former administration officials through their private email accounts. Yet, Mr. Read expressed relative confidence in Georgetown’s security posture, specifying two-factor authentication and Google’s G-Suite cloud services platform as factors that help mitigate such risk.
Mr. Read warned, however, that the academic sector in general is particularly vulnerable to cyber-attacks. He explained that universities often lack the business considerations that incentivize the implementation of cybersecurity policies and protections, which often limit some aspects of online activity. The norm of academic freedom also limits employers’ capacity to monitor endpoints used by faculty. In addition, while some online activities could easily raise suspicion on a regular corporate network, academic networks include students who conduct a wide range of activities for personal and academic reasons. Ironically, he added, the fact the universities were early users of internet technology actually adds to their vulnerability: “There are all kinds of weird nooks and crannies and things exposed to the internet because they were used in some biology project in 1987.”
GSSR shared the campaign’s indicators of compromise with Georgetown’s Information Security Office and requested further information on targeted accounts, the extent of compromised information, and how the office plans to better defend against similar threats in the future. The Information Security Office has not responded.
[i] United States V. Gholamreza Rafatnejad, Ehsan Mohammadi, Abdollah Karima, A/K/A “Vahid Karima,” Mostafa Sadeghi, Seyed Ali Mirkarimi, Mohammed Reza Sabahi, Roozbeh Sabahi, Abuzar Gohari Moqadam, And Sajjad Tahmasebi (New York: United States District Court, Southern District of New York, 2018), 2.
[iii] “Bogus Canvas Email,” Georgetown University Information Security Office, accessedNovember 24, 2020, https://security.georgetown.edu/phishing-examples/bogus-canvas-email/
[iv] “Example 235: Expiration Notice,” University of Minnesota Information Technology, April 20, 2020, https://it.umn.edu/phishing/example-235-expiration-notice ; Phishing-E-mail_200324 (Evanston, Illinois: Northwestern Information Technology, 2020), accessed November 24 at https://www.it.northwestern.edu/bin/docs/phishing-examples/phishing-e-mail_200324.pdf ; “Security Alert! New Phishing Scam Targets UMass Amherst Community – Tues., 3/31,” University of Massachusetts Amherst Information Technology, March 31, 2020, https://www.umass.edu/it/news/20200331/securityalertnewphishingscamtargetsumassamherstcommunitytues3310
[v] A search for other alerts on phishing emails sent to universities by Alan Manuel brought up a sample posted by the University of Minnesota IT, directing to the link hxxp://canvas[.]umn[.]vnre[.]me. A follow up search for other subdomains hosted on vnre[.]me on Virustotal and TLS/SSL certificate search engine crt.sh brought up the following domains, which according to Virustotal’s passive DNS records were hosted on IP addresses 104[.]31[.]78[.]23 and 104[.]31[.]79[.]23 as of April 2020:
Michigan State University’s subdomain appears to have redirected users to a URL hosted on domain userpage[.]fu-berlin[.]de, while the email targeting Northwestern directed users to a URL hosted on domain uni-due[.]de both are legitimate domains belonging to universities in Berlin.
Search results were accessed on November 24, 2020 at https://www.virustotal.com/gui/ip-address/18.104.22.168/detection ; https://crt.sh/?q=vnre.me ; https://urlscan.io/result/7c71873f-4f7a-493a-bafb-ebdf7d277cad/
[xxix] Crane Hassold, “Silent Librarian: More to the Story of the Iranian Mabna Institute Indictment,” The PhishLabs Blog, March 26, 2018, https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment
[xxx] United States V. Gholamreza Rafatnejad et.al (New York, 2018), 2.
[xxxi] Ibid, 2-3.
[xxxii] Ibid, 6.
[xxxiii] Hassold, “Silent Librarian: More to the Story of the Iranian Mabna Institute Indictment.”
[xxxv] Nalani Fraser, Fred Plan, Jacqueline O’Leary, Vincent Cannon, Raymond Leong, Dan Perez, Chi-en Shen, “APT41: A Dual Espionage and Cyber Crime Operation,” FireEye Threat Research, August 7, 2019, https://content.fireeye.com/apt-41/website-apt41-blog
[xxxvi] “International Hacker-For-Hire Who Conspired With And Aided Russian FSB Officers Sentenced To Five Years In Prison,” United States Attorney’s Office Northern District of California, May 29, 2018, https://www.justice.gov/usao-ndca/pr/international-hacker-hire-who-conspired-and-aided-russian-fsb-officers-sentenced-five
[xxxvii] “Example 235: Expiration Notice,” University of Minnesota Information Technology, April 20, 2020, https://it.umn.edu/phishing/example-235-expiration-notice ; Phishing-E-mail_200324 (Evanston, Illinois: Northwestern Information Technology, 2020), accessed November 24 at https://www.it.northwestern.edu/bin/docs/phishing-examples/phishing-e-mail_200324.pdf ; “Security Alert! New Phishing Scam Targets UMass Amherst Community – Tues., 3/31,” University of Massachusetts Amherst Information Technology, March 31, 2020, https://www.umass.edu/it/news/20200331/securityalertnewphishingscamtargetsumassamherstcommunitytues3310
[xxxviii] “COBALT DICKENS Goes Back to School…Again,” SecureWorks Counter Threat Unit Research Team, September 11, 2019, https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again
[xxxix] “Silent Librarian APT Right On Schedule For 20/21 Academic Year,” Malwarebytes Threat Intelligence Team, October 14, 2020, https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/
[xl] Julia Schuetze, “Could the German International Arrest Warrant Against a GRU Hacker Prompt European Sanctions?” Council on Foreign Relations Net Politics, May 26, 2020, https://www.cfr.org/blog/could-german-international-arrest-warrant-against-gru-hacker-prompt-european-sanctions
[xli] Lily Hay Newman, “Iranian Hackers Targeted a US Presidential Candidate,” Wired, October 4, 2019, https://www.wired.com/story/iran-hackers-target-us-presidential-candidate/